Re: Host.us DDOS attack -and- related conversations

[Mike Hammett <nanog () ics-il net>]

As discussed a few months ago (maybe Christmas time?), Comcast is actively suspending accounts involved in DNS 
amplification. Certainly on a network like theirs, it's an internal issue as well. 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

----- Original Message -----

From: "Ca By" <cb.list6 () gmail com> 
To: ahebert () pubnix net 
Cc: nanog () nanog org 
Sent: Wednesday, August 3, 2016 10:05:04 AM 
Subject: Re: Host.us DDOS attack -and- related conversations 

On Wednesday, August 3, 2016, Alain Hebert <ahebert () pubnix net> wrote: 

> Well, 
>
> I'm sorry. 
>
> That sound like the CloudFlare argument: You cannot fix the DDoSs 
> at the source because Elbonia can do it. The only solution is to pay 
> for protection. 
No. I hate the idea of paying for protection from a cloud or appliance. 

Elbonia just has the trigger. The loaded gun is the ddos reflector in 
comcast, cox, vz, and everyone else. 


> Between you and me, if only Elbonia are left DDoSing at 100Gbps, we 
> simply de-peer the commercial subnets from that country (leaving the 
> govt subnets up obviously) and see for them to deal with their trash 
> ISPs once for all. ( That's how we used to do it early on when the IIRC 
> flooding started ). 
There are known problematic networks. I have not seen any of them or their 
facilitating upstreams depeered. I can name 4 networks that source 75% of 
my attack attack traffic. Comcast was one due to their ssdp reflection, 
they stopped that now. But still lots of dns attacks from them. 

Or we keep getting DDoSed for the next 100+ years. 
>
On that track. 


> PS: Yes, the fictional country from the Dilbert syndicated cartoons. 
Swap in your favorite real world country / network that has very real abuse 
source reputation. 


> On a humorous note: 
>
> The DDoS protection lobby is our NRA. 
>
> ----- 
> Alain Hebert ahebert () pubnix net 
> <javascript:;> 
> PubNIX Inc. 
> 50 boul. St-Charles 
> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 
> Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443 
>
> On 08/03/16 10:36, Ca By wrote: 
> > On Wednesday, August 3, 2016, Alain Hebert <ahebert () pubnix net 
> <javascript:;>> wrote: 
> > > Well, 
> > >
> > >
> > > Could it be related to the last 2 days DDoS of PokemonGO (which 
> > > failed) and some other gaming sites (Blizzard and Steam)? 
> > >
> > >
> > > And on the subject of CloudFlare, I'm sorry for that CloudFlare 
> > > person that defended their position earlier this week, but there may be 
> > > more hints (unverified) against your statements: 
> > >
> > > https://twitter.com/xotehpoodle/status/756850023896322048 
> > >
> > > That could be explored. 
> > >
> > >
> > > On top of which there is hints (unverified) on which is the real bad 
> > > actor behind that new DDoS service: 
> http://news.softpedia.com/news/pokemon-go-ddos-attacks-postponed-as-poodlecorp-botnet-suffers-security-breach-506910.shtml
>  
> > > And I quote: 
> > >
> > > "One thing LeakedSource staff spotted was that the first payment 
> > > recorded in the botnet's control panel was of $1, while payments for the 
> > > same package plan were of $19.99." 
> > >
> > > ( Paypal payments btw ) 
> > >
> > >
> > > There is enough information, and damages, imho, to start looking for 
> > > the people responsible from a legal standpoint. And hopefully the 
> > > proper authorities are interested. 
> > >
> > > PS: 
> > >
> > > I will like to take this time to underline the lack of 
> > > participation from a vast majority of ISPs into BCP38 and the like. We 
> > > need to keep educating them at every occasion we have. 
> > >
> > > For those that actually implemented some sort of tech against 
> > > it, you are a beacon of hope in what is a ridiculous situation that has 
> > > been happening for more than 15 years. 
> > Bcp38 is not the issue. It is only the trigger, and as long as one 
> network 
> > in Elbonia allows spoofs, that one network can marshall 100s of gbs of 
> > ddos power. Years of telling people to do bcp38 has not worked. 
> >
> > The issue is for you and your neighbor to turn off your reflecting udp 
> > amplifiers (open dns relay, ssdp, ntp, chargen) and generously block 
> > obvious ddos traffic. A healthy udp policer is also smart. I suggest 
> > taking a baseline of your normal peak udp traffic, and build a policer 
> that 
> > drops all udp that is 10x the baseline for bw and pps. 
> >
> > Bcp38 is good, but it is not the solution we need to tactically stop 
> > attacks. 
> >
> > This is not pretty. But it works at keeping your network up. 
> >
> > CB 
> >
> >
> > ----- 
> > > Alain Hebert ahebert () pubnix net 
> <javascript:;> 
> > > <javascript:;> 
> > > PubNIX Inc. 
> > > 50 boul. St-Charles 
> > > P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 
> > > Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443 
> > >
> > > On 08/03/16 09:41, Robert Webb wrote: 
> > > > Anyone have any additonal info on a DDOS attack hitting host.us? 
> > > >
> > > > Woke up to no email this morning and the following from their web site: 
> > > >
> > > >
> > > >
> > > > *Following an extortion attempt, HostUS is currently experiencing 
> > > sustained 
> > > > large-scale DDOS attacks against a number of locations. The attacks 
> were 
> > > > measured in one location at 300Gbps. In another location the attacks 
> > > > temporarily knocked out the entire metropolitan POP for a Tier-1 
> > > provider. 
> > > > Please be patient. We will return soon. Your understanding is 
> > > appreciated. 
> > > > * 
> > > >
> > > >
> > > > > From my monitoring system, looks like my VPS went unavailable around 
> > > 23:00 
> > > > EDT last night. 
> > > >
> > > > Robert